IIS+and+Kerberos.docx

IIS+and+Kerberos.docx

《IIS+and+Kerberos.docx》由会员分享，可在线阅读，更多相关《IIS+and+Kerberos.docx（21页珍藏版）》请在冰豆网上搜索。

IIS+and+Kerberos

IISandKerberosPart6-NewinIIS7

Note:

previousarticles

WindowsServer2008andIIS7.0introducesomechangestothewaythatyouneedtoimplementKerberossupport.ThethreemajorchangesthatI'mawareofare:

1.ServicePrincipalNames（SPNs）nolongerneedtoberegisteredundertheaccountthatthewebapplicationpoolisrunningunder.Instead,inadefaultconfigurationyoucanrunthewebapplicationpoolunderanyaccount（customuseraccount,orLocalSystem,LocalServiceorNetworkService）andregistertheSPNunderthemachineaccountinActiveDirectory.Seethispostformoredetails.

2.YourwebapplicationpooldoesnotneedLocalSystemprivilegestobeabletoperformprotocoltransition.YoucandothisusingNetworkService.

3.Ifyouwanttouse inweb.config foryourASP.NETpages,youneedtodisablevalidateIntegratedModeConfigurationifyouareusingtheIntegratedModePipeline.Otherwiseyou'llgeta500.24error. YoucaneithersetvalidateIntegratedModeConfigurationtoFalseoryoucanruninClassicModePipeline

NewinIIS7-KernelModeAuthentication

WindowsServer2003SP1introduceskernelmodeSSL.WindowsServer2008takesthisonestepfurtherandintroduceskernelmodeauthentication.ThiscanbeutilisedbyIIS7.0applicationstoimproveperformance.ItalsohasimplicationsforKerberosauthenticationandmanagementofSPNs.

Considerthefollowingscenario:

EnsuringKerberosAuthNforApp1wouldn’tbepossibleinIIS6/5（earlierversionswerepre-Windows2000sodidn’tsupportKerberos）.ThiswasbecauseSPNsarebasedonaFQDNandtheSPNforhttp/couldonlyberegisteredunderasingleaccount（andnotunderthetwodifferentaccountsthatAppPool1andAppPool2areusing）.

InWindowsServer2008thereissupportforanewkernelmodeauthentication.Iamsupposingthatthisisimplementedinksecdd.sys,butitmaybeimplementedelsewhere.Whenusingkernelmodeauthentication,theserviceticketisdecryptedbytheserver（akamachineaccount）,notbytheuseraccountthatthewebapppoolisrunningunder.

Becauseofthis,it’spossibleto:

∙RegistereverySPNforeachapplicationhostedwebserverunderthemachineaccountinActiveDirectory,regardlessoftheidentityofthewebapppoolthattheapplicationisbeinghostedin

∙RunmultiplewebapplicationshostedatthesameFQDNunderwebapppoolsthatare,inturn,runningundermultipleWindowsidentities.

Edit:

AnilfromtheIISProduct Grouppointedoutanerrorinmyadvicebelow（it'snotnecessarytoactuallydisableKernelModeAuthentication）. Ihaveupdatedthesectionbelow:

Thereisacaveat.Thisisbecausetheserviceticketdecryptiontakesplaceusingtheserver’sADmachineaccount.Ifyouareusingawebfarm,thentheKDCdoesn’tknowinadvancewhichindividualserverwillbeservicingtherequest.Inthatcase,it'simpossibletodeterministicallyregistertheSPNunderasinglemachineaccount.Instead,youwillneedto:

∙DisablekernelmodeauthenticationConfigureIIStousethewebapplicationpool'sidentityforKerberosserviceticketdecryption

∙Runthewebapppoolunderacommondomainuseraccount

∙BerestrictedtorunningallwebapplicationaccessibleatthatFQDNunderwebapppoolsthatareusingthesamedomainuseraccountabove

Ifyouareinthissituation,thenyoucandisablekernelmodeauthenticationenabletheuseofthewebapppool'sidentityforKerberosserviceticketdecryptionbysettingthepropertyuseAppPoolCredentialstotrueforthewebapplicationorwebsiteinquestion.Anexamplewouldbe:

IISandKerberos.Part1-WhatisKerberosandhowdoesitwork?

Edit:

I'vecreatedalistofallthepartsinthisserieshere,whichwillbeupdatedasIaddmoreparts. 

ConfiguringKerberosandDelegationisoneofthemorecommonproblemsIseeinthecommunitiesandevenwithinAvanade.SinceKerberosisn'tasimpletopic,I'mgoingtowriteaquickseriesexplaininghowKerberosworks,commonscenariosandproblemsandsometroubleshootingtips.

KerberosisanopenauthenticationprotocoldevelopedatMIT,andimplementedinWindows2000/2003ActiveDirectorydomains（amongstotherplaces）.Authenticationistheprocessofprovingyouridentitytoaremotesystem.Youridentityiswhoyouare,andauthenticationistheprocessofprovingthat.Inmanysystemsyouridentityisyourusername,andyouuseasecretsharedbetweenyouandtheremotesystem（apassword）toprovethatyouridentity.

Theproblemwithsimplisticsharedsecretsystemsistwo-fold:

a）thereisascalabilityproblem.Ifeveryuserneedstomaintainasharedsecretwitheveryindividualserver（oreveryserviceoneveryserver!

）thenthatresultsinpoorpasswords.Userscannotbeexpectedtorememberdozens,hundredsorthousandsofuniquepasswordsandsoenduprepeatingthemregardlessofwhethertheserverisalowsecurityorhighsecurityresource

b）thereisanissueinsecurelytransmittingthesharedsecretfromtheusertotheserver.Varioustechnologies（likeTLS/SSL）existforsecuringthetransportofdatabetweenmachines,howeveritisincumbentuponeachservicetoutiliseserviceslowerdowninthenetworkstack.

Kerberosisdesignedtoovercometheselimitations.InthispartwelookathowasimpleKerberosimplementationworks.Inthisscenariowehaveauserusingaclientmachinethatwishestoconnecttoaremoteservice（theuserhereisapersonorapplication,theclientistheOSormachine）.Rememberthatwewantasystemthatallowsustostoresharedsecretscentrally,andtosecurelytransmitusercredentialsbetweenclientandservice.Lastlyweshouldlooktopreventreplayattacks（wheresomeonewhoissniffingthewirecanreplaycapturedpacketstoimpersonatealegitimateuser,eveniftheydonotknowhowtocreatetheauthenticationpacketsthemselves）.

TobeginwithweintroducetheKerberosKDC-KeyDistributionCentre.IntheWindowsActiveDirectoryworld,theKDClivesonDomainControllers（DCs）.TheclientconnectstotheAuthorisationService（AS）thatrunsontheKDCandaskstheAStoauthenticatetheusertotheremoteservice.Technically,theclientdoesn'tneedtoauthenticateitselftotheDomainController.HoweverintheActiveDirectoryworld,somethingcalledpre-authenticationisusedtoensurethattheuser（orclientapplication）isactuallywhotheysaytheyare.

TheASontheKDCgeneratesasessionkeythatwillbeusedbytheclientandtheremoteservice.Itencryptsthesessionkeywiththeuser'spassword（thisiswhytheuserdoesn'tneedtoauthenticate-iftheuserisn'twhotheysaytheyare,theywon'tbeabletodecryptthesessionkeybecausetheydon'tknowtheuser'spassword）.TheKDCalsopreparesasecondpieceofdata-itagainencryptsthesessionkeyaswellastheuser'susername（knownasaKerberosprincipal）,butusingtheservice'spasswordthistimetoencryptthedata.Onlytheremoteservicewillbeabletodecryptthissecondpieceofdata.ThissecondpieceofdataisknownastheServiceTicket（orjustTicket）.

TheKDCnowsendsbothpiecesofdatabacktotheclient.Theuser,knowingtheirownpassword,isabletodecryptthefirstpieceofdata,andextractthesessionkey.Theuserhoweverdoesnotknowtheservice'spassword,soisunabletodecryptthesecondpieceofdata.Theclientusesthesessionkeytoencryptthecurrenttime（amongstotherthings,buttheyaren'tsoimportantrightnow）.ThispieceofdataisknownastheAuthenticator.TheclientsendstheAuthenticatoritjustgenerated,alongwiththeServiceTicketreceivedfromtheKDCtotheremoteservice.

TheremoteserviceisabletodecrypttheServiceTicketusingitsownpassword.Itisthusabletogetaccesstothesessionkey,andthePrincipal（user）attemptingtoconnect.ItnowusesthesessionkeytodecrypttheAuthenticator,andextractthetime.Itcomparesthetimetothecurrentsystemtimeontheservertoensureamatch.Sinceonlytheservice,theKDCandtheuser,knowthesessionkeythentheservicecanassumethatusermustbewhotheysaytheyare.

IfanimpostersentaServiceTickettotheservice（e.g.byreplayingcapturedpackets）theywouldn'tknowthecorrectsessionkeynecessarytoencryptthetimestampcorrectly.Alternatively,iftheimposterattemptstousecapturedAuthenticatorpackets（whichcontainatimestamp）,thusbypassingtheneedtoknowthesessionkey,thenthetimeswillnotmatchwhentheAuthenticatorisdecryptedbytheserviceandtheservicewillrefusetoauthenticatetheremoteuser.

IfthiswastheextentoftheKerberos,theneachandeverytimetheclientreceivedanencryptedsessionkeyfromtheKDC,theuserwouldneedtoentertheirpasswordtoallowtheclientmachineaccesstoit.Thatcouldrapidlybecomeaproductivitysinkhole（imaginehavingtoenteryourpasswordforeachandeveryHTTPrequestyoumade!

）.Togetaroundthis,theclientmachinecouldcachetheuser'spassword,butthatisn'taparticularysecuresystem.WhatKerberosdoesisintroducetheconceptofaTicketGrantingTicket（TGT）.

TicketGrantingTicketsareissuedbytheASrunningontheKDCinthesamewaythatanormalserviceticketisissued.HowevertheTGTisvalidfortheTicketGrantingService,ratherthanaremoteHTTPserver（oranyothertypeofserver）.Whenevertheuserwishestoconnecttoaremoteservice,itcanusetheTGTthatithasalreadyreceivedtoconnecttotheTGS.TheTGS,afterauthenticatingtheuserviatheTGT,issues